On Privacy-Preserving and Correlatable Security Alert Translation

Bibliographic Details
Main Authors: Chang-Zhi Lin, 林昶志
Other Authors: Yi-Ming Chen
Format: Others
Language: zh-TW
Published: 2008
Online Access: http://ndltd.ncl.edu.tw/handle/09213139001536254250
Description
Summary: Master's thesis, National Central University (國立中央大學), Graduate Institute of Information Management (資訊管理研究所), academic year 96. When a Distributed Intrusion Detection System (DIDS) or a Security Operation Center (SOC) wants to integrate alerts, it still has to overcome the following two problems: 1. DIDS and SOC designs often assume that alerts can be obtained completely and unconditionally. In practice this holds only when the SOC operates inside a single company or is managed by a trusted third party; otherwise most companies are unwilling to share the alerts collected from their security equipment, because they fear accidentally revealing private information. 2. There are too many alerts, including many false alerts, which makes them hard for managers to deal with. Security alerts are usually low-level information, so it is hard for managers to grasp the full attack scenario or the attacker's purpose. We propose a method for privacy-preserving and correlatable alert translation. First, we use a method modified from K-anonymity to achieve privacy preservation. Then we prove that, even when the private information in alerts is protected, the alerts still support correlation and analysis with several kinds of correlation methods. Our research is based on IDS, which is widely deployed, to extend the practicality of our method. Our process first protects the private information in alerts on the end-side IDS and then shares those alerts. This prevents the information in non-privacy-protected alerts from being intercepted by attackers while it is transferred to the SOC. The alerts are then shared with the SOC, where integration, analysis and correlation are performed. Our final purpose is to protect the private information in alerts so that users can share their alerts without worry, while the privacy-protected alerts still retain their analysis and correlation ability. This not only prevents private information from being misused by attackers, but also improves users' willingness to share.